anaboo.ai

EU AI Act August 2026: your business is liable even outside the EU

7 March 2026 | Brett Alegre-Wood | 6 min read
Tags: EU AI Act 2026, AI Governance Compliance, High-Risk AI Systems, EU AI Act Penalties, Extraterritorial AI Regulation, Singapore AI Governance, AI Compliance

TL;DR

The EU AI Act comes into full force for high-risk AI systems on 2 August 2026. Its extraterritorial reach means that if your product or service touches an EU citizen, the full force of the law applies to you, regardless of where your company is registered. Fines for the most serious breaches reach €35 million or 7% of global annual turnover, whichever is higher. Your government, whether in Canberra or Westminster, is not going to guide you through this.

What is the EU AI Act, and why does it reach your desk?

This is not niche European bureaucracy you can dismiss from the other side of the world. The EU AI Act is a comprehensive legal framework governing how artificial intelligence systems can be used, particularly where they make decisions that affect people's lives, livelihoods, or fundamental rights. And like the GDPR before it, it has been deliberately designed to regulate the market rather than the company's physical location.

If your product serves EU citizens, you are subject to EU law. Full stop.

The logic mirrors product safety standards. If you sell a children's toy into Germany, it must meet German safety requirements, no matter where your factory is. The EU has applied exactly the same principle to AI. If your AI-powered product or service is used by people in the EU, whether that is a recruitment tool, a performance-monitoring CRM, a lending model, or an insurance pricing engine, you are on the hook.

Remember the GDPR panic? The consultants charging a fortune, the last-minute scramble? This is GDPR on steroids, with a shorter fuse and, arguably, even bigger consequences. The difference is that the AI Act is not just about data privacy. It is about safety, ethics, and who is held responsible when an algorithm makes a life-altering decision.

The August 2026 deadline: how close is it really?

The key date is 2 August 2026. That is when obligations for high-risk AI systems fully apply. In regulatory terms, that is already tomorrow. Building a compliant conformity assessment, assembling technical documentation, auditing third-party tools for bias, and putting data governance frameworks in place does not happen overnight. Businesses that have not started are already behind.

What counts as a high-risk AI system?

This is where most businesses get caught off-guard. When people hear "high-risk AI" they imagine autonomous weapons or surgical robots. The reality is far more mundane, and far more likely to be embedded in software you are already running today.

Under Annex III of the Act, high-risk AI systems include:

  • Recruitment and CV screening tools: any AI that ranks candidates or filters applications directly affects a person's livelihood
  • Worker management systems: AI used to monitor performance, suggest promotions, or identify underperformers
  • Credit and lending models: AI used by banks or lenders to assess business loan applications
  • Insurance pricing engines: AI that sets premiums based on automated risk profiling
  • AI used in critical infrastructure, education, law enforcement, and the administration of justice

You could be running a dozen of these right now, embedded in off-the-shelf SaaS products, with no idea the vendor has AI baked into them. That does not reduce your liability. You are the deployer. You are accountable. When a regulator from an EU member state comes asking for your conformity assessment, your risk management documentation, and your data governance logs, "I didn't know" is not a defence.

The penalties are not a cost of doing business

The fines under the EU AI Act have been calibrated to get the attention of even the largest companies in Silicon Valley. They are not a regulatory tap on the wrist.

  • Up to €35 million or 7% of global annual turnover, whichever is higher, for using prohibited AI systems
  • Up to €15 million or 3% of global annual turnover for non-compliance with the requirements for high-risk systems

Those are business-ending numbers for most mid-market companies. The EU is not bluffing. They have already demonstrated with GDPR enforcement that they are prepared to pursue companies headquartered on the other side of the world, and they have drawn a very clear, very bright line in the sand.

The UK and Australia have left you exposed

While the EU has been building this comprehensive legal framework, the UK and Australian governments have been conspicuously absent. The result for businesses in both countries is the worst of all possible worlds: a full legal obligation to comply with EU rules when serving EU customers, but absolutely no equivalent domestic guidance to help them do it.

The official Australian government position is that "existing laws are sufficient." This conveniently sidesteps the fact that existing discrimination law was never designed to unpick bias embedded in historical training data. In the UK, the government's fixation on being seen as "pro-innovation" has produced a chaotic environment: responsibility is distributed across individual, under-resourced sector regulators, and copyright policy for AI training has been thrown into complete disarray.

This is not leadership. It is a dereliction of duty. British and Australian businesses are being left to navigate a legal and technical minefield on their own, while politicians congratulate themselves for not stifling innovation.

Singapore shows what responsible AI governance actually looks like

If you want to see a mature, proactive approach to AI governance, look at Singapore. They are not pretending the problem does not exist. They have a National AI Council, a clear and funded national strategy in NAIS 2.0, and have developed AI Verify, a testing framework and toolkit that helps businesses conduct technical tests and produce governance reports.

Singapore is demonstrating something important: pro-innovation and pro-governance are not opposites. Good governance builds institutional trust. Trust accelerates adoption. By creating a clear, coordinated ecosystem, Singapore is building a genuine competitive advantage through clarity and foresight, while UK and Australian businesses are left to fend for themselves in the dark.

Are you ready for the regulator to knock?

Here are the practical questions an EU regulator will ask:

  • Do you have a complete, up-to-date inventory of every AI system and tool used in your business, including third-party plugins, APIs, and features embedded in your SaaS products?
  • Have you conducted a documented risk assessment identifying which systems qualify as high-risk under Annex III?
  • Do you have technical documentation from each system's manufacturer?
  • Can you demonstrate that your AI systems are free from harmful bias?
  • Do you have data governance processes, quality management systems, and risk management frameworks in place?
  • Is there a human in the loop with the authority and competence to intervene and override the system?
  • Can you explain the system's decisions, or is it a black box?

If any of those answers is "no" or "I'm not sure," you have work to do. This is a board-level risk, not an IT ticket. Ignoring it is not an option.

What to do this week

  1. Audit your AI stack. List every tool, plugin, API, and SaaS product your business uses. Flag anything that makes decisions affecting your employees, customers, or sales pipeline.
  2. Check against Annex III. Run each flagged tool against the EU AI Act's high-risk categories. When in doubt, assume it is high-risk and document accordingly.
  3. Contact your vendors. Ask each one for their conformity assessment documentation. If they cannot provide it, that is your liability gap, and you need to know about it now.
  4. Assign board-level ownership. Someone at the top table needs to own this programme. It cannot be delegated to IT and forgotten.
  5. Start the documentation trail today. Even incomplete documentation demonstrates intent and effort. A total absence of documentation when the regulator arrives is the worst possible position you can be in.

Where to from here

Book a free 60-minute AI audit, and we'll explore exactly which workflows are worth augmenting with AI.

Live with passion & AI,

Brett

Frequently asked questions

When does the EU AI Act come into full force for high-risk AI systems?

The EU AI Act's requirements for high-risk AI systems apply in full from 2 August 2026. In regulatory terms this deadline is already close, given the volume of documentation, risk assessment, and governance work required to achieve compliance.

Does the EU AI Act apply to businesses based outside the EU?

Yes. The Act has explicit extraterritorial reach. If your AI-powered product or service is used by people within the EU, you are subject to the full requirements regardless of where your business is registered, where your developers are, or where your servers are located.

What are the fines for non-compliance with the EU AI Act?

For the most serious breaches, using prohibited AI systems, fines reach up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with the specific requirements for high-risk systems carries fines of up to €15 million or 3% of global annual turnover.

What counts as a high-risk AI system under the EU AI Act?

Annex III of the Act lists high-risk categories including AI used in recruitment and CV screening, worker management and performance monitoring, credit and lending decisions, insurance pricing, critical infrastructure, education, and law enforcement. These are common everyday business tools, not science fiction.

Am I liable for AI baked into third-party SaaS tools I use?

Yes. If you deploy a third-party tool that qualifies as high-risk and use it to serve EU customers, you as the deployer carry the compliance responsibility. You need to obtain technical documentation and conformity assessment records from every vendor; their location is irrelevant to your liability.

How has Singapore approached AI governance differently from the UK and Australia?

Singapore has a National AI Council, a funded national strategy in NAIS 2.0, and has developed AI Verify, a testing framework and toolkit that helps businesses conduct technical tests and produce governance reports. The UK and Australia have both avoided creating equivalent frameworks, leaving their businesses without guidance or support.

What should I do right now to prepare for the EU AI Act?

Start by auditing every AI tool your business uses, including third-party plugins and embedded SaaS features. Check each against Annex III's high-risk categories, request conformity documentation from your vendors, and assign board-level ownership to the compliance programme immediately.

Brett Alegre-Wood, founder of Anaboo
About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
